The SitePoint Forums have moved.

You can now find them here.
This forum is now closed to new posts, but you can browse existing content.
You can find out more information about the move and how to open a new account (if necessary) here.
If you get stuck you can get support by emailing forums@sitepoint.com

If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

I have yet to find it. I'm going through the process of learning how to get all of a P3P policy done and implemented. I downloaded the IBM Editor and finally got it running. Then I got a policy written. Between the w3.org pages and the IBM Editor help I got it figured out. It is not as complex as they make it sound. Things like the 'Well Known Location' being repeatedly referred to drove me crazy. I finally stumbled across what they meant in a help file. It would have been much easier if I had been told 'put everything in a w3c folder and things this and this. Oh well...

If any one else wants this info, I have it now. If there is enough interest I will post on the company web site.

I just got a policy written. My plan for implementation is use one of my small client's sites that uses cookies. I plan to install the basic policy file in the "well known location" (siteroot/w3c/p3p.xml) without making any change to the present pages. Initially I will avoid supplying the support pages, the human version of the policy, a dispute resolution page, etc. I'll include the references in the policy, just omit the actual pages from the site for now.

Once the policy is installed I'll see if it affects MSIE 5.x browsers. If so I'll remove it and move testing to a lab server in-house.

Then I'll browse the site with MSIE 6 beta. I want to see what type of on screen messages I am getting with various settings in the MSIE6. Once I have that information, I'll remove the policy and see what MSIE6 does. I am curious if I will start to see 404's reported in the site logs from MSIE6 requests for policy info if it is not there. Once I have that information I'll decide what to do next.

From the rhetoric I am reading on how poorly P3P will protect people, I am assuming I can create a policy file that will allow me to retrieve the data I need without complaints from the browser. From my study so far, I have not found anything to keep one from lying when they create their policy. I expect that to push reputable sites into using 3rd party verification and site approval seals. But there does not appear to be serious security to keep one from creating their own Seals and 3rd party verification systems. I would expect this to force the creation of laws to allow some type of enforcement of privacy policies. Hopefully it will take years for the politicians to catch up.

Until I have the MSIE 6 browser up, I do not completely understand either.

The cookie handling and the P3P can be seperate on the design side. As I understand the MSIE6 browser will look for a P3P policy. When you save or request cookie info, the browser wants to know what type of info you are saving or requesting before supplying it. All it can really know is what you tell it. So, when you request a cookie named "secretinfo" or whatever you have named it, it will have to look at your policy to see what you have said this info is. So, you have to ID the data or give it a class of data. Then MSIE6 or other P3P standard compliant browser will use what you told it and the user's settings to decide if it should give it out or not.

Obviously, most sites will not have P3P policies when MSIE 6 is released. So, cookies as used on most sites and without P3P policies have to be handled. I doubt MS would want to break all the e-com sites out there that use cookies. I assume it will be pretty lax in the beginning. P3P is not a have to right now.

Once you have the Editor and the Help files for it, this will make more sense. The problem here is not a lack of information. For me it is that there is so much I can't find the basic stuff I want. Plus everything is in development and buggy. Like they don't tell you the IBM Editor will not work with just MS JScript, you have to have a real Java Environment for it to work.

I understand that first-party cookies are from the primary site. So, I could have problems saving info from secession to secession. This would also mean that cookies appear to work while one is on the site. But, closing the browser would delete the cookies.

Additionally, MS says, "If a user visits www.wideworldimporters.com over a secure connection using Secure Hypertext Transfer Protocol (HTTPS), content on the page that is not using HTTPS is considered third-party content." Does that mean that cookie data set outside the HTTPS is third-party and probably not accessible from the HTTPS pages or is cookie data set in a HTTPS page probably not available to non HTTPS pages?

I wont get a working IE6 until this weekend. After reading MS material I get head aches. I have to try it before I am sure I understood what they wrote.

The news group for the IE6 public beta has people asking about cookie problems at various types of sites. These seem to be few but then not many people trying the IE6 know about the news groups.

I am wondering how IE6 will know what data is 'unsatisfactory' if there is no P3P privacy policy on the site. So, what happens to undefined cookies? If undefined cookies could be used, why would anyone care what the standard is? It would be most simple to ignore it in that case. So, I suspect they will make it a problem.

I'm mostly concerned about my client sites that have give-a-ways and free samples. I use cookies to track who has already requested samples and who has not. Once a sample request has been completed and sumitted a cookie is loaded with a varable holding a date. As long as that varable is in the cookie, the pages omit the free sample references. I would hope that a date could not be identified as personally identifiable data and ruled unsatisfactory. I guess I'll find out.

I'm not sure that first party cookies are killed upon closing the browser. It seems to be working fine on my test site.

Ie6 is such a pain! I don't know if it really offers all that much from the previous versions (my latest was 5.0)... It keeps crashing on me whenever I close it (of course its just a beta version). It does have a handy "Delete All Cookies" button.